source: vbox/trunk/src/libs/openssl-3.3.2/test/ssl-tests/28-seclevel.cnf.in@ 108358

# -*- mode: perl; -*-
# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


## SSL test configurations

package ssltests;
use OpenSSL::Test::Utils;

our $fips_mode;

our @tests = (
    {
        name => "SECLEVEL 3 with default key",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" },
        client => { },
        test   => { "ExpectedResult" => "ServerFail" },
    },
);

our @tests_ec = (
    {
        name => "SECLEVEL 4 with ED448 key",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
                    "Certificate" => test_pem("server-ed448-cert.pem"),
                    "PrivateKey" => test_pem("server-ed448-key.pem") },
        client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
                    "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
        test   => { "ExpectedResult" => "Success" },
    },
    {
        # The Ed448 signature algorithm will not be enabled.
        # Because of the config order, the certificate is first loaded, and
        # then the security level is changed. If you try this with s_server
        # the order will be reversed and it will instead fail to load the key.
        name => "SECLEVEL 5 server with ED448 key",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
                    "Certificate" => test_pem("server-ed448-cert.pem"),
                    "PrivateKey" => test_pem("server-ed448-key.pem") },
        client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
                    "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
        test   => { "ExpectedResult" => "ServerFail" },
    },
    {
        # The client will not sent the Ed448 signature algorithm, so the server
        # doesn't have a usable signature algorithm for the certificate.
        name => "SECLEVEL 5 client with ED448 key",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
                    "Certificate" => test_pem("server-ed448-cert.pem"),
                    "PrivateKey" => test_pem("server-ed448-key.pem") },
        client => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
                    "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
        test   => { "ExpectedResult" => "ServerFail" },
    }
);

our @tests_ec_non_fips = (
    {
        name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
                    "Certificate" => test_pem("p384-server-cert.pem"),
                    "PrivateKey" => test_pem("p384-server-key.pem"),
                    "Groups" => "X25519" },
        client => { "CipherString" => "ECDHE:\@SECLEVEL=3",
                    "VerifyCAFile" => test_pem("p384-root.pem") },
        test   => { "ExpectedResult" => "Success" },
    },
);

our @tests_tls1_2 = (
    {
        name => "SECLEVEL 3 with ED448 key, TLSv1.2",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
                    "Certificate" => test_pem("server-ed448-cert.pem"),
                    "PrivateKey" => test_pem("server-ed448-key.pem"),
                    "MaxProtocol" => "TLSv1.2" },
        client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
        test   => { "ExpectedResult" => "Success" },
    },
);

push @tests_ec, @tests_ec_non_fips unless $fips_mode;
push @tests, @tests_ec unless disabled("ecx");
push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ecx");